(Sorry, accidentally hit send, ignore previous mail) On 12/15/2011 11:01 PM, Mick wrote:
Hi All,

I've generated a cakey.pem and cacert.pem on my PC. Uploaded the cacert.pem to my router and used its GUI to generate a CSR. When I try to sign this CSR file back on my PC I'm getting this error:

=====================================
$ openssl ca -config ./openssl_VPN.cnf -days 1095 -cert cacert_VPN.pem -keyfile VPN_CA/private/cakey_VPN.pem -infiles certificate-router-request
Using configuration from ./openssl_VPN.cnf
Enter pass phrase for VPN_CA/private/cakey_VPN.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the CA certificate (Buckinghamshire) and the request (Buckinghamshire)
=====================================

I don't understand why I get this error. Both cacert and certificate-router-request files contain exactly the same ST= field.

The cacert_VPN.pem shows:

Issuer: C=GB, ST=Buckinghamshire, L= [snip ...]
Subject: C=GB, ST=Buckinghamshire, L= [snip ...]

and the CSR shows:

Subject: C=GB, ST=Buckinghamshire, L= [snip ...]
Try repeating those output commands with the option -nameopt multiline,show_type to determine if the two disagree on the character encoding, spacing or other subtle aspect of the ST= part of the name. If it turns out to be such a subtle difference, please report it back to the list as a bug in the openssl code that handles the "match" option, and as a workaround change the field to "supplied" in the policy but manually inspect each CSR before deciding to sign it (This would not work if the match is also enforced by a path constraint in the CA cert). If it turns out not to be such a subtle difference (or no difference at all) please tell the list about it too.
Under the CA policy options in the configuration file I have:

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

but given that the entries are the same, I am not sure why I get this error. Any suggestions?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
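The kind of subtle difference the reply asks Mick to look for, as an added worked example that is not code from this thread or from the OpenSSL project: it builds two DER-encoded X.509 Names whose stateOrProvinceName text is identical but whose ASN.1 string type differs (PRINTABLESTRING in the CA subject, UTF8STRING in the router's CSR), decodes them while keeping the string type (the detail that -nameopt multiline,show_type exposes and the default one-line subject output hides), and then applies the [policy_match] section from Mick's configuration with a simplified model of the policy loop in OpenSSL's apps/ca.c, where "match" compares the string type together with the bytes. The subject names, their values and the policy tables are constructed for this example; check_policy is an approximation of OpenSSL's behaviour written for illustration, not OpenSSL's code.

```python
# Added example (not from this thread or from OpenSSL): why a "match" policy can reject
# an ST= value that reads identically. The ASN.1 string type is part of the comparison.
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x06, 0x0C, 0x13
TYPE_NAMES = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING", 0x1E: "BMPSTRING"}
ATTR_OIDS = {"2.5.4.6": "countryName", "2.5.4.8": "stateOrProvinceName", "2.5.4.10": "organizationName",
             "2.5.4.11": "organizationalUnitName", "2.5.4.3": "commonName", "1.2.840.113549.1.9.1": "emailAddress"}

def der(tag, content):
    """Encode one DER TLV; short-form length is enough for these sample names."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der(OID, bytes(body))

def encode_name(attrs):
    """attrs: [(dotted_oid, string_tag, text)] -> DER Name, one attribute per RDN."""
    return der(SEQUENCE, b"".join(
        der(SET, der(SEQUENCE, encode_oid(oid) + der(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs))

def read_tlv(buf, pos):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(name_der):
    """Decode a DER Name to [(attribute, string_tag, text)], keeping the string type."""
    tag, rdns, _ = read_tlv(name_der, 0)
    assert tag == SEQUENCE
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)          # one SET per RDN
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)      # AttributeTypeAndValue SEQUENCE
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            # Printable/IA5/UTF8 strings all decode as UTF-8; BMP/T61 would not.
            attrs.append((ATTR_OIDS.get(decode_oid(oid), decode_oid(oid)), vtag,
                          value.decode("utf-8", "replace")))
    return attrs

def show_type(attrs):
    """Roughly what -nameopt multiline,show_type prints: the type beside each value."""
    return "\n".join(f"{n} = {TYPE_NAMES.get(t, hex(t))}:{v}" for n, t, v in attrs)

def check_policy(ca_attrs, csr_attrs, policy):
    """Simplified model of the [policy] loop in apps/ca.c: "match" compares type and bytes
    together (as ASN1_STRING_cmp does), "supplied" needs the field present. Returns errors."""
    errors = []
    for field, rule in policy.items():
        if rule == "optional":
            continue
        csr_vals = [(t, v) for n, t, v in csr_attrs if n == field]
        ca_vals = [(t, v) for n, t, v in ca_attrs if n == field]
        if not csr_vals:
            errors.append(f"The {field} field needed to be supplied and was missing")
        elif rule == "match" and csr_vals != ca_vals:
            errors.append(f"The {field} field needed to be the same in the CA certificate "
                          f"({','.join(v for _, v in ca_vals)}) and the request "
                          f"({','.join(v for _, v in csr_vals)})")
    return errors

# Constructed subjects: identical text, but the router encoded ST as a UTF8String.
CA_SUBJECT = encode_name([("2.5.4.6", PRINTABLESTRING, "GB"),
                          ("2.5.4.8", PRINTABLESTRING, "Buckinghamshire"),
                          ("2.5.4.10", PRINTABLESTRING, "Example VPN"),
                          ("2.5.4.3", PRINTABLESTRING, "Example VPN CA")])
ROUTER_CSR_SUBJECT = encode_name([("2.5.4.6", PRINTABLESTRING, "GB"),
                                  ("2.5.4.8", UTF8STRING, "Buckinghamshire"),
                                  ("2.5.4.10", PRINTABLESTRING, "Example VPN"),
                                  ("2.5.4.3", PRINTABLESTRING, "router")])
POLICY_MATCH = {"countryName": "match", "stateOrProvinceName": "match",
                "organizationName": "match", "organizationalUnitName": "optional",
                "commonName": "supplied", "emailAddress": "optional"}
# The reply's workaround: demote ST to "supplied" and inspect each CSR by hand instead.
POLICY_WORKAROUND = dict(POLICY_MATCH, stateOrProvinceName="supplied")
```

Calling show_type(parse_name(CA_SUBJECT)) and show_type(parse_name(ROUTER_CSR_SUBJECT)) shows the two ST= lines side by side with their types, and check_policy(..., POLICY_MATCH) reproduces the "needed to be the same" message from Mick's log while the plain text compares equal; with POLICY_WORKAROUND the check passes without touching the CSR. The same comparison also fails on a trailing space or a differently encoded non-ASCII character, which is why the reply suggests looking at spacing and encoding. As a general note beyond this thread: the string type that openssl req writes into a subject on the PC side is controlled by the string_mask setting in openssl.cnf, so a CA generated with a string_mask that produces the same type as the device's CSR generator avoids this mismatch at the source.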
